Securing the iDashboards Application

Summary:

This topic covers some simple steps that can be taken to secure information within Tomcat. The two configurations we will look at are HttpOnly session cookies and custom 404 and 500 error pages.

Resolution:

HttpOnly

Tomcat 6.5 and later has this option turned on automatically, but it is still a good idea to add the setting explicitly so you can be sure it is in effect. This is done by editing the context.xml file located in the $CATALINA_BASE\conf folder (by default $CATALINA_BASE will be a directory similar to C:\Program Files\Apache Software Foundation\Tomcat 7.0\).

<Context> will be the first line that is not commented out. Edit this line so that it reads <Context path="/idashboards" useHttpOnly="true">

Save the file.

Restart Tomcat.

Custom 404 and 500 Error Messages

This configures error pages so that if the application is down, or the user types in a wrong address, the user is forwarded to a page of your design instead of Tomcat's default error page. This prevents the details that Tomcat's default error pages reveal about the server from being shown to users.

Locate the $CATALINA_BASE\webapps\idashboards\WEB-INF\web.xml file. (By default $CATALINA_BASE will be a directory similar to C:\Program Files\Apache Software Foundation\Tomcat 7.0\.)

Go to the very bottom of the file. Locate the following:

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

Below this section add the following:

    <error-page>
        <error-code>404</error-code>
        <location>/errors/404_Error.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/errors/500_Error.html</location>
    </error-page>

Create a folder called 'errors' in the $CATALINA_BASE\webapps\idashboards directory.

Within that folder you will need to create the two HTML pages referenced above, '404_Error.html' and '500_Error.html':
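The following script is an added verification aid, not part of the original article, for confirming that both settings above took effect after the Tomcat restart: it requests a non-existent path under the application, checks that any JSESSIONID cookie carries the HttpOnly attribute, and checks that the error body is not Tomcat's stock error page (which names the Tomcat version). The host, port, application path and the default-page marker strings are assumptions; adjust them to your installation.

```python
"""Verify the HttpOnly cookie flag and custom error pages on a Tomcat instance."""
import http.client
import re
import sys

# Strings found on Tomcat's stock error page; their presence means the
# custom error-page mapping in web.xml is not being used (assumed markers).
DEFAULT_PAGE_MARKERS = ("HTTP Status 404", "HTTP Status 500")
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)*")


def cookie_is_httponly(set_cookie: str, name: str = "JSESSIONID") -> bool:
    """True if the named cookie in a Set-Cookie header value has HttpOnly."""
    parts = [p.strip() for p in set_cookie.split(";")]
    if not parts or not parts[0].upper().startswith(name.upper() + "="):
        return False
    return any(p.lower() == "httponly" for p in parts[1:])


def error_page_leaks(body: str) -> list:
    """Return the default-page markers and version strings found in an error body."""
    found = [m for m in DEFAULT_PAGE_MARKERS if m in body]
    version = VERSION_RE.search(body)
    if version:
        found.append(version.group(0))
    return found


def check_server(host: str, port: int = 8080, app: str = "/idashboards") -> dict:
    """Fetch a bogus path under the app and evaluate both settings on the response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", app + "/this-page-does-not-exist")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    cookies = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    session_cookies = [c for c in cookies if c.upper().startswith("JSESSIONID=")]
    return {
        "status": resp.status,
        # None means no session cookie was issued on this response.
        "httponly": all(map(cookie_is_httponly, session_cookies)) if session_cookies else None,
        "leaks": error_page_leaks(body),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(check_server(target))
```

An empty `leaks` list and `httponly` of `True` (or `None` when no session cookie is set on the error response) indicate both settings are in effect.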